---
# Template manifest for a Traefik reverse-proxy deployment (Docker Compose or
# Docker Swarm). `metadata` describes the template; `spec` declares its input
# variables, grouped into sections.
kind: compose
metadata:
  name: Traefik
  # NOTE(review): the Markdown heading and list markers below sit inline in
  # one folded paragraph; if the source had blank lines between them, restore
  # them so the description renders as a heading plus a bullet list.
  description: 'Traefik is a modern HTTP reverse proxy and load balancer that
    makes deploying microservices easy. This template sets up Traefik with
    automatic HTTPS using Let''s Encrypt and can be integrated with Authentik
    for SSO. ## References - **Project:** https://traefik.io/ -
    **Documentation:** https://doc.traefik.io/traefik/ -
    **GitHub:** https://github.com/traefik/traefik'
  version: v3.6.7
  author: Christian Lempa
  # Quoted so the value stays a string instead of being parsed as a date.
  date: '2026-01-15'
  tags:
    - swarm
    - volume
  icon:
    provider: simpleicons
    id: traefikproxy
  draft: false
  # Jinja-templated text. A trailing backslash continues the double-quoted
  # scalar on the next line, and the leading `\ ` there is an escaped space.
  next_steps: "Start the `{{ service_name }}` project\n{% if swarm_enabled %}\n1. Deploy Traefik to Docker Swarm:\n `docker\
    \ stack deploy -c compose.yaml {{ service_name }}`\n{% else %}\n1. Copy the project directory for `{{ service_name\
    \ }}` to the host.\n2. Start Traefik with Docker Compose from the project directory:\n `docker compose up -d`\n{% endif\
    \ %}"
# Quoted so the schema version is the string "1.2", not the float 1.2.
schema: '1.2'
spec:
  # Each variable may carry `type`, `default`, `required`, `options`,
  # `description`, `extra` and `needs`. `needs` presumably gates a variable on
  # another variable's value (`name=value[,value...]`); confirm against the
  # schema. Entries that set only some keys presumably inherit the rest from a
  # definition outside this file; confirm.
  general:
    vars:
      service_name:
        default: traefik
      container_name:
        type: str
      container_hostname:
        type: str
      container_timezone:
        type: str
      container_loglevel:
        type: enum
        options:
          - debug
          - info
          - warn
          - error
      restart_policy:
        type: enum
        options:
          - unless-stopped
          - always
          - on-failure
          # Quoted: a bare `no` is a boolean under YAML 1.1 parsers.
          - 'no'
        default: unless-stopped
        required: true

  ports:
    vars:
      # Published only when the dashboard is enabled. The dashboard shows the
      # proxy's routing configuration, so keep this port off untrusted
      # networks.
      ports_dashboard:
        description: Dashboard port (external)
        type: int
        default: 8080
        required: true
        needs:
          - dashboard_enabled=true
        extra: Only used when dashboard is enabled
      ports_http:
        default: 80
        extra: Maps to entrypoint 'web'
      ports_https:
        default: 443
        extra: Maps to entrypoint 'websecure'

  traefik:
    title: Settings
    vars:
      # Off by default. Access logs are the request-level record used for
      # detection and incident response; consider enabling them where the
      # proxy faces untrusted clients.
      accesslog_enabled:
        description: Enable Traefik access log
        type: bool
        default: false
      # Off by default, and the template itself warns against production use.
      # NOTE(review): whether the rendered config puts authentication in front
      # of the dashboard is not visible here; confirm before enabling.
      dashboard_enabled:
        description: Enable Traefik dashboard
        type: bool
        default: false
        extra: 'WARNING: Don''t use in production!'
      prometheus_enabled:
        description: Enable Prometheus metrics
        type: bool
        default: false
      # Secure default: the security-headers middleware is created unless the
      # user opts out.
      security_enabled:
        description: Create production-ready security headers middleware
        type: bool
        default: true
        extra: Enables HSTS, XSS protection, frame denial, etc.
      traefik_network:
        extra: Network that Traefik uses to connect to services
      traefik_network_external:
        description: Use existing Docker network (external)
        type: bool
        default: false

  traefik_tls:
    title: TLS Settings
    vars:
      traefik_tls_acme_email:
        description: Email address for ACME
        type: str
        required: true
      traefik_tls_acme_region:
        description: AWS Region
        type: str
        default: us-east-1
        required: true
        needs:
          - traefik_tls_certresolver=route53
      traefik_tls_acme_resource_group:
        description: Azure Resource Group
        type: str
        required: true
        needs:
          - traefik_tls_certresolver=azure
      # DNS-provider credential used for the ACME DNS challenge. Whoever holds
      # it can edit DNS records, so scope it to the zones Traefik needs.
      # NOTE(review): `sensitive: true` is set here, but how the rendered
      # compose file stores the value (environment variable or secret file)
      # is not visible; confirm it does not end up in plaintext in a committed
      # file.
      # NOTE(review): no variable in this section carries the key or client
      # ID that normally pairs with the route53 and azure secrets
      # (AWS_ACCESS_KEY_ID, AZURE_CLIENT_ID); confirm where that comes from.
      traefik_tls_acme_secret_key:
        description: DNS provider secret key
        type: str
        sensitive: true
        required: true
        needs:
          - traefik_tls_certresolver=azure,godaddy,porkbun,route53
        extra: AZURE_CLIENT_SECRET, GODADDY_API_SECRET, PORKBUN_SECRET_API_KEY, or AWS_SECRET_ACCESS_KEY
      traefik_tls_acme_subscription_id:
        description: Azure Subscription ID
        type: str
        required: true
        needs:
          - traefik_tls_certresolver=azure
      traefik_tls_acme_tenant_id:
        description: Azure Tenant ID
        type: str
        required: true
        needs:
          - traefik_tls_certresolver=azure
      # DNS-provider API token; the same least-privilege and storage concerns
      # apply as for traefik_tls_acme_secret_key.
      traefik_tls_acme_token:
        description: DNS provider API token
        type: str
        sensitive: true
        required: true
        needs:
          - traefik_tls_certresolver=cloudflare,digitalocean,godaddy,namecheap,porkbun
        extra: CF_DNS_API_TOKEN, DO_AUTH_TOKEN, GODADDY_API_KEY, NAMECHEAP_API_KEY, or PORKBUN_API_KEY
      traefik_tls_acme_username:
        description: Namecheap API username
        type: str
        required: true
        needs:
          - traefik_tls_certresolver=namecheap
      # No `type` or `default` declared here, unlike the neighbouring entries.
      traefik_tls_certresolver:
        description: ACME DNS challenge provider
        options:
          - cloudflare
          - porkbun
          - godaddy
          - digitalocean
          - route53
          - azure
          - namecheap
        extra: DNS provider for domain validation
      # TLS is opt-in: with the default the proxy does not request
      # certificates. No `type` is declared here.
      traefik_tls_enabled:
        description: Enable HTTPS/TLS with ACME
        default: false
      # No `default` declared here; the effective minimum depends on a value
      # defined elsewhere. Confirm it is not lower than TLS 1.2.
      traefik_tls_min_version:
        description: Minimum TLS version
        type: enum
        options:
          - VersionTLS12
          - VersionTLS13
        extra: TLS 1.2 is recommended for compatibility, TLS 1.3 for maximum security
      traefik_tls_redirect:
        description: Redirect all HTTP traffic to HTTPS
        type: bool
        default: true
      # Described as recommended, but no `default` is declared here; confirm
      # the effective default is enabled.
      traefik_tls_secure_ciphers:
        description: Enable strict cipher suites (recommended)
        type: bool
        extra: Enforces modern, secure cipher suites
      # Turns off certificate verification between Traefik and backends, so
      # the proxy can no longer tell a genuine backend from an impostor on
      # that network path.
      # NOTE(review): no `default` is declared here; confirm the effective
      # default is false so verification stays on unless explicitly disabled.
      traefik_tls_skipverify:
        description: Skip TLS verification for backend servers
        type: bool
        extra: 'WARNING: Only enable for self-signed certificates in trusted environments'

  volume:
    vars:
      volume_mode:
        type: enum
        options:
          - local
          - mount
          - nfs
        default: local
        required: true
      volume_mount_path:
        type: str
        default: /mnt/storage
        needs:
          - volume_mode=mount
        required: true
      volume_nfs_server:
        type: str
        default: 192.168.1.1
        needs:
          - volume_mode=nfs
        required: true
      volume_nfs_path:
        type: str
        default: /export
        needs:
          - volume_mode=nfs
        required: true
      # NOTE(review): `soft` lets I/O fail when the NFS server times out and
      # `nolock` disables file locking; confirm both are acceptable for the
      # state kept on this volume.
      volume_nfs_options:
        type: str
        default: rw,nolock,soft
        needs:
          - volume_mode=nfs
        required: true

  swarm:
    vars:
      swarm_placement_mode:
        type: enum
        options:
          - replicated
          - global
        default: replicated
        required: true
      swarm_replicas:
        type: int
        default: 1
        needs:
          - swarm_placement_mode=replicated
        required: true
      # The empty-string default presumably means no placement constraint;
      # confirm.
      swarm_placement_host:
        type: str
        description: Target hostname for placement constraint
        default: ''
        needs:
          - swarm_placement_mode=replicated
        extra: Constrains service to run on specific node by hostname
      swarm_enabled:
        type: bool
        default: false
        description: Enable Docker Swarm mode